Bishop Fox to Reveal Major Vulnerabilities in Home, Office, and Building Security Systems at Black Hat Las Vegas & DEF CON
Phoenix, Ariz. (PRWEB) July 19, 2013 -- Later this month, researchers at Bishop Fox (formerly Stach & Liu), one of the industry’s leading enterprise security consultancies, will reveal critical vulnerabilities in many of the world’s most widely-used building security systems and RFID (radio frequency identification) based badging systems.
The upcoming Black Hat USA 2013 conference, which takes place from July 29-August 1 in Las Vegas, features Bishop Fox Senior Security Analysts Drew Porter and Stephen Smith and Partner Fran Brown presenting two separate talks that showcase methods of bypassing physical security systems used by millions in buildings all over the globe. Brown’s talk will also be presented at the annual DEF CON security conference, which takes place in Las Vegas from August 1-4.
Porter and Smith’s talk, “Let’s Get Physical: Breaking Home Security Systems and Bypassing Building Controls” (http://www.blackhat.com/us-13/briefings.html#Porter), will demonstrate methods of jamming communications and fooling the digital sensors commonly used in many building security systems, both at home and in the office. Brown’s talk, “RFID Hacking: Live Free or RFID Hard” (http://www.blackhat.com/us-13/briefings.html#Brown), will reveal vulnerabilities in badging systems widely used to control access to buildings and secured areas.
“Taken together, these two talks highlight game-changing vulnerabilities that show how virtually any building or secure area is susceptible to entry,” said Brown. “We believe that this information will and should change the way businesses and homeowners defend their buildings against physical threats.”
In their talk, Porter and Smith demonstrate flaws in the digital systems and sensors used by more than 36 million office, building, and home security systems in the United States. Both researchers will give a detailed description of methods that can be used to prevent the tripping of commonly-used building security sensors, enabling an attacker to bypass electronic alarms and surveillance systems to access secure doors without setting off an alarm. Using these methods and tools, an attacker could easily break into any home and many businesses without triggering the alarm systems installed within.
“What’s downright frightening about these vulnerabilities is how effective and damaging they are when exploited,” said Porter. “The research we’ve done affects millions of homes and buildings.” The methods Porter and Smith will showcase allow for undetectable covert entry, leaving no physical sign of compromise. The two researchers will discuss how alarm system signals can be intercepted, with no warnings sent and local alarms being shut down. “We believe this research should change the way enterprises and homeowners view electronic security systems, and hopefully, the way manufacturers build, install, and market them,” Porter said.
Brown’s talk on RFID Hacking will be presented at both the Black Hat USA and DEF CON conferences. Brown will demonstrate methods of capturing and abusing RFID proximity badge information, essentially enabling attackers to disguise themselves as authorized entrants to gain access to any secure area that requires a RFID badge for entry. RFID proximity badging systems are among the most popular and are used in millions of buildings and businesses across the globe.
“The susceptibility of RFID badging systems has been known for some time, but until now, the attacker had to be within centimeters of a legitimate badge in order to read its data,” explained Brown. “We’ll be demonstrating a method of attaining badge data from several feet away, showing it can be done without the victim’s knowledge. This makes it possible for someone to copy a badge using a much wider array of social engineering tactics, and then come back later with the cloned badge and gain entry to secured areas.”
In his talk, Brown will demonstrate methods of cracking higher-privilege badges in order to gain access to high security areas such as data centers or vaults. He will also outline methods for creating cloned cards and planting physical backdoor devices into a secure area so that the attacker can come and go at will.
“This talk will change the way many businesses view and use RFID proximity badging technology,” said Brown. “We will also offer recommendations for preventing the theft of badge data.”
The two talks are representative of Bishop Fox’s unique approach to enterprise security - developing highly tailored security programs for its clients. The firm is made up of an offensive practice and a defensive practice, and so is positioned on the cutting-edge of both threat identification and defensive strategy.
“The manner in which we will share our research, emphasizing not only the threats but also the solutions, reflects Bishop Fox’s philosophy of contributing to both attack and defense,” said Vincent Liu, Partner at Bishop Fox. “We believe that offensive penetration testing is only one side of the coin. Identified vulnerabilities should inform and improve an organization’s approach to enterprise defense.”
Bishop Fox provides a wide range of offensive and defensive security consulting for a broad array of businesses, governments, and private organizations. For more information, visit http://www.bishopfox.com.
About Bishop Fox
Bishop Fox is a global security consulting firm. We are trusted advisors to the Fortune 1000, financial institutions, and high-tech startups—helping to secure commerce, data, infrastructure, and intellectual property. Founded in 2005, our team is made up of dedicated individuals with a combined 350+ years of experience working in the Fortune 500, international security consultancies, and government intelligence.
By combining both offense and defense, our consultants work to develop highly tailored programs to secure our clients against present and future threats. We work to provide security needs across a wide range of industries: from frozen waffle factories to nuclear power plants, and from glass cockpit software to streaming digital content.
For more than a decade, Bishop Fox professionals have been authoring best-selling secu¬rity books, such as Web Application Security: A Beginners Guide, Hacking Exposed: Web Applications 3rd edition, and Hacking Exposed: Wireless, 1st and 2nd Editions. Our team has been published in leading media outlets including DarkReading; quoted in newspapers like USA Today; and interviewed on local, national, and international television. As regular presenters at conferences such as Black Hat, DEF CON, BlueHat, and RSA, we continually share our research with the security community.
###
Arissa Aguilera, Bishop Fox (Formerly Stach & Liu), http://www.stachliu.com/, 9163846884, [email protected]
Share this article